fix: timestamp grace for legacy manifests (#1502)

Disable TSA trust check for 1.x legacy manifests
Fix TSA check to follow spec and only use system trust list
Remove default OCSP fetching from our settings sample toml
Fix broken unit test

Author: mauricefisher64

cli/tests/fixtures/trust/cawg_sign_settings.toml

@@ -4,7 +4,7 @@
 version = 1
 
 # Trust settings for certificate validation.
-# [trust]
+[trust]
 # String to user-provided trust anchors (PEM format).
 # user_anchors = ""
 # String to system trust anchors (PEM format).
@@ -406,8 +406,8 @@ tsa_url = "http://timestamp.digicert.com"
 
 # Configuration for the `Builder`.
 [builder]
-certificate_status_fetch = "all"
-certificate_status_should_override = true
+#certificate_status_fetch = "all"
+#certificate_status_should_override = true
 
 # Claim generator info list.
 [builder.claim_generator_info]

cli/tests/fixtures/trust/cawg_test_settings.toml

@@ -1,5 +1,5 @@
 [verify]
-trusted = true
+verify_trust = true
 
 [trust]
 trust_config = """

sdk/src/claim.rs

@@ -1911,6 +1911,11 @@ impl Claim {
         let sig = claim.signature_val();
         let additional_bytes: Vec<u8> = Vec::new();
 
+        let mut adjusted_settings = settings.clone();
+        if claim.version() == 1 {
+            adjusted_settings.verify.verify_timestamp_trust = false;
+        }
+
         // use the signature uri as the current uri while validating the signature info
         validation_log.push_current_uri(to_signature_uri(claim.label()));
 
@@ -1956,7 +1961,7 @@ impl Claim {
             svi.certificate_statuses.get(&certificate_serial_num),
             svi.timestamps.get(claim.label()),
             validation_log,
-            settings,
+            &adjusted_settings,
         )?;
 
         let verified = verify_cose(
@@ -1967,11 +1972,17 @@ impl Claim {
             ctp,
             svi.timestamps.get(claim.label()),
             validation_log,
-            settings,
+            &adjusted_settings,
         );
 
-        let result =
-            Claim::verify_internal(claim, asset_data, svi, verified, validation_log, settings);
+        let result = Claim::verify_internal(
+            claim,
+            asset_data,
+            svi,
+            verified,
+            validation_log,
+            &adjusted_settings,
+        );
         validation_log.pop_current_uri();
         result
     }

sdk/src/crypto/cose/certificate_trust_policy.rs

@@ -58,6 +58,9 @@ pub struct CertificateTrustPolicy {
 
     /// passthrough mode
     passthrough: bool,
+
+    /// Use only system trust for this check
+    trust_anchors_only: bool,
 }
 
 impl Default for CertificateTrustPolicy {
@@ -68,6 +71,7 @@ impl Default for CertificateTrustPolicy {
             end_entity_cert_set: HashSet::default(),
             additional_ekus: HashSet::default(),
             passthrough: false,
+            trust_anchors_only: false,
         };
 
         this.add_valid_ekus(include_bytes!("./valid_eku_oids.cfg"));
@@ -98,6 +102,7 @@ impl CertificateTrustPolicy {
             end_entity_cert_set: HashSet::default(),
             additional_ekus: HashSet::default(),
             passthrough: false,
+            trust_anchors_only: false,
         }
     }
 
@@ -109,6 +114,7 @@ impl CertificateTrustPolicy {
             end_entity_cert_set: HashSet::default(),
             additional_ekus: HashSet::default(),
             passthrough: true,
+            trust_anchors_only: false,
         }
     }
 
@@ -341,6 +347,19 @@ impl CertificateTrustPolicy {
         }
     }
 
+    /// Set whether we only want to use system trust_achors and ignores user_anchors,
+    /// returns last trust_anchors_value
+    pub fn set_trust_anchors_only(&mut self, trust_anchors_only: bool) -> bool {
+        let val = self.trust_anchors_only;
+        self.trust_anchors_only = trust_anchors_only;
+        val
+    }
+
+    /// Get whether we only want to use system trust_achors and ignores user_anchors
+    pub fn trust_anchors_only(&self) -> bool {
+        self.trust_anchors_only
+    }
+
     /// Remove all trust anchors, private credentials, and EKUs previously
     /// configured.
     pub fn clear(&mut self) {

sdk/src/crypto/cose/ocsp.rs

@@ -298,7 +298,7 @@ fn check_stapled_ocsp_response(
             if check_end_entity_certificate_profile(
                 &ocsp_certs[0],
                 ctp,
-                validation_log,
+                &mut current_validation_log,
                 tst_info.as_ref(),
             )
             .is_err()
@@ -320,7 +320,7 @@ pub(crate) fn fetch_and_check_ocsp_response(
     sign1: &CoseSign1,
     data: &[u8],
     ctp: &CertificateTrustPolicy,
-    _tst_info: Option<&TstInfo>,
+    tst_info: Option<&TstInfo>,
     validation_log: &mut StatusTracker,
     settings: &Settings,
 ) -> Result<OcspResponse, CoseError> {
@@ -340,10 +340,13 @@ pub(crate) fn fetch_and_check_ocsp_response(
 
     let ocsp_response_der = ocsp_der;
 
-    let signing_time: Option<DateTime<Utc>> =
-        validate_cose_tst_info(sign1, data, ctp, validation_log, settings)
+    // use supplied override time if provided
+    let signing_time: Option<DateTime<Utc>> = match tst_info {
+        Some(tst_info) => Some(tst_info.gen_time.clone().into()),
+        None => validate_cose_tst_info(sign1, data, ctp, validation_log, settings)
             .ok()
-            .map(|tst_info| tst_info.gen_time.clone().into());
+            .map(|tst_info| tst_info.gen_time.clone().into()),
+    };
 
     // Check the OCSP response, but only if it is well-formed.
     // Revocation errors are reported in the validation log.

sdk/src/crypto/raw_signature/openssl/check_certificate_trust.rs

@@ -68,7 +68,7 @@ pub(crate) fn check_certificate_trust(
     let mut store_ctx = X509StoreContext::new()?;
     if store_ctx.init(&store, cert.as_ref(), &cert_chain, |f| f.verify_cert())? {
         Ok(TrustAnchorType::System)
-    } else {
+    } else if !ctp.trust_anchors_only() {
         // try the user trust anchors
         let mut builder = openssl::x509::store::X509StoreBuilder::new()?;
         builder.set_flags(X509VerifyFlags::X509_STRICT)?;
@@ -89,5 +89,7 @@ pub(crate) fn check_certificate_trust(
         } else {
             Err(CertificateTrustError::CertificateNotTrusted)
         }
+    } else {
+        Err(CertificateTrustError::CertificateNotTrusted)
     }
 }

sdk/src/crypto/raw_signature/rust_native/check_certificate_trust.rs

@@ -120,22 +120,24 @@ pub(crate) fn check_certificate_trust(
         }
 
         // Check against user provided trust anchors.
-        for (anchor_cert, anchor_der) in &user_anchors {
-            if chain_cert.issuer() == anchor_cert.subject() {
-                let data = chain_cert.tbs_certificate.as_ref();
-                let sig = chain_cert.signature_value.as_ref();
+        if !ctp.trust_anchors_only() {
+            for (anchor_cert, anchor_der) in &user_anchors {
+                if chain_cert.issuer() == anchor_cert.subject() {
+                    let data = chain_cert.tbs_certificate.as_ref();
+                    let sig = chain_cert.signature_value.as_ref();
 
-                let sig_alg = cert_signing_alg(&chain_cert);
+                    let sig_alg = cert_signing_alg(&chain_cert);
 
-                let result = verify_data(anchor_der, sig_alg, sig, data);
+                    let result = verify_data(anchor_der, sig_alg, sig, data);
 
-                match result {
-                    Ok(b) => {
-                        if b {
-                            return Ok(TrustAnchorType::User);
+                    match result {
+                        Ok(b) => {
+                            if b {
+                                return Ok(TrustAnchorType::User);
+                            }
                         }
+                        Err(_) => continue,
                     }
-                    Err(_) => continue,
                 }
             }
         }

sdk/src/crypto/time_stamp/verify.rs

@@ -533,21 +533,26 @@ pub fn verify_time_stamp(
         // the certificate must be on the trust list to be considered valid
         let verify_trust = settings.verify.verify_timestamp_trust;
 
-        if verify_trust
-            && ctp
+        if verify_trust {
+            // per the spec TSA trust can only be checked against the system trust list not the user trust list
+            let mut adjusted_ctp = ctp.clone();
+            adjusted_ctp.set_trust_anchors_only(true);
+
+            if adjusted_ctp
                 .check_certificate_trust(&cert_ders[0..], &cert_ders[0], Some(signing_time))
                 .is_err()
-        {
-            log_item!(
-                "",
-                format!("timestamp cert untrusted: {}", &common_name),
-                "verify_time_stamp"
-            )
-            .validation_status(TIMESTAMP_UNTRUSTED)
-            .informational(&mut current_validation_log);
+            {
+                log_item!(
+                    "",
+                    format!("timestamp cert untrusted: {}", &common_name),
+                    "verify_time_stamp"
+                )
+                .validation_status(TIMESTAMP_UNTRUSTED)
+                .informational(&mut current_validation_log);
 
-            last_err = TimeStampError::Untrusted;
-            continue;
+                last_err = TimeStampError::Untrusted;
+                continue;
+            }
         }
 
         log_item!(

sdk/src/store.rs

@@ -576,6 +576,10 @@ impl Store {
     ) -> Result<Vec<u8>> {
         let claim_bytes = claim.data()?;
 
+        // no verification of timestamp trust while signing
+        let mut adjusted_settings = settings.clone();
+        adjusted_settings.verify.verify_timestamp_trust = false;
+
         let tss = if claim.version() > 1 {
             TimeStampStorage::V2_sigTst2_CTT
         } else {
@@ -587,7 +591,7 @@ impl Store {
                 // Let the signer do all the COSE processing and return the structured COSE data.
                 return signer.sign(&claim_bytes); // do not verify remote signers (we never did)
             } else {
-                cose_sign(signer, &claim_bytes, box_size, tss, settings)
+                cose_sign(signer, &claim_bytes, box_size, tss, &adjusted_settings)
             }
         } else {
             if signer.direct_cose_handling() {
@@ -616,7 +620,7 @@ impl Store {
                             &self.ctp,
                             None,
                             &mut cose_log,
-                            settings,
+                            &adjusted_settings,
                         )
                     } else {
                         verify_cose_async(
@@ -627,7 +631,7 @@ impl Store {
                             &self.ctp,
                             None,
                             &mut cose_log,
-                            settings,
+                            &adjusted_settings,
                         )
                         .await
                     };
@@ -1575,7 +1579,7 @@ impl Store {
 
                     // allow the extra ingredient trust checks
                     // these checks are to prevent the trust spoofing
-                    let check_ingredient_trust: bool = settings.verify.check_ingredient_trust;
+                    let check_ingredient_trust: bool = settings.verify.verify_trust;
 
                     // get the 1.1-1.2 box hash
                     let ingredient_hashes = store.get_manifest_box_hashes(ingredient);
@@ -2062,18 +2066,26 @@ impl Store {
 
                 // save the valid timestamps stored in the StoreValidationInfo
                 // we only use valid timestamps, otherwise just ignore
+                let mut adjusted_settings = settings.clone();
+                let original_trust_val = adjusted_settings.verify.verify_timestamp_trust;
                 for (referenced_claim, time_stamp_token) in timestamp_assertion.as_ref() {
                     if let Some(rc) = svi.manifest_map.get(referenced_claim) {
+                        if rc.version() == 1 {
+                            // no trust checks for leagacy timestamps
+                            adjusted_settings.verify.verify_timestamp_trust = false;
+                        }
+
                         if let Ok(tst_info) = verify_time_stamp(
                             time_stamp_token,
                             rc.signature_val(),
                             &self.ctp,
                             validation_log,
-                            settings,
+                            &adjusted_settings,
                         ) {
                             svi.timestamps.insert(rc.label().to_owned(), tst_info);
                         }
                     }
+                    adjusted_settings.verify.verify_timestamp_trust = original_trust_val;
                 }
             }
 
@@ -4276,11 +4288,19 @@ impl Store {
     ) -> Result<Vec<(String, Vec<u8>)>> {
         let mut oscp_response_ders = Vec::new();
 
+        let mut adjusted_settings = settings.clone();
+        let original_trust_val = adjusted_settings.verify.verify_timestamp_trust;
+
         for manifest_label in manifest_labels {
             if let Some(claim) = self.claims_map.get(&manifest_label) {
                 let sig = claim.signature_val().clone();
                 let data = claim.data()?;
 
+                // no timestamp trust checks for 1.x manifests
+                if claim.version() == 1 {
+                    adjusted_settings.verify.verify_timestamp_trust = false;
+                }
+
                 let sign1 = parse_cose_sign1(&sig, &data, validation_log)?;
                 let ocsp_response_der = if _sync {
                     fetch_and_check_ocsp_response(
@@ -4309,6 +4329,7 @@ impl Store {
                     oscp_response_ders.push((manifest_label, ocsp_response_der));
                 }
             }
+            adjusted_settings.verify.verify_timestamp_trust = original_trust_val;
         }
 
         Ok(oscp_response_ders)

sdk/tests/fixtures/test_settings_with_cawg_signing.toml

@@ -408,8 +408,8 @@ tsa_url = "http://timestamp.digicert.com"
 
 # Configuration for the `Builder`.
 [builder]
-certificate_status_fetch = "all"
-certificate_status_should_override = true
+#certificate_status_fetch = "all"
+#certificate_status_should_override = true
 
 # Claim generator info list.
 [builder.claim_generator_info]